Non-autonomous dynamical orbit cryptography

ABSTRACT

NADO is a process for encrypting and decrypting information in a variety of cryptographic devices. The underlying process is a fast stream-like cipher that can be implemented efficiently in analog or digital hardware or in software. The NADO process makes use of three novel methods in cryptography: 1) A sequence of permutations which scrambles and spreads out the encrypted information; (2) A state generator built with a non-autonomous dynamical system to generate an unpredictable sequence of states; (3) One or more perturbators which perturb both the non-autonomous dynamical system and the sequence of permutations in a non-periodic way.

FEDERALLY SPONSORED RESEARCH

[0001] NOT APPLICABLE.

Computer Program

[0002] Attached with this patent application is a CD-ROM. A file named NADO.jar contains the JAVA byte code that implements an embodiment of NADO cryptography.

BACKGROUND

[0003] 1. Field of Invention

[0004] The present invention relates broadly to cryptographic methods and devices, and in particular to stream cipher and block cipher methods used in these methods and devices. This invention is also applicable in other fields, such as pseudo-random number generators, used by algorithms that require random numbers. Cryptographic devices and methods are generally used to encrypt and decrypt information transmitted through communication and transmission systems. However, they also may be used to encrypt passive data stored on a computer or another physical device such as a tape drive. Typically, the message is encrypted by a sending agent using a unique key, and the encrypted message, called ciphertext, is transmitted to a receiving agent. Using the same unique key, the receiving agent applies a decryption device or method to the ciphertext. The output of this decryption device or method is the same message that the sending agent gathered before encrypting and sending it.

[0005] 2. Prior Art

[0006] In the references, section X, [SCHNEIER] provides a description of many of the cryptographic systems mentioned here.

[0007] U.S. Pat. Nos. 4,218,582 and 4,405,829 are examples of public-key encryption systems. U.S. Pat. No. 4,218,582 has been shown to be insecure. U.S. Pat. No. 4,405,829 (RSA) is based on number theory. RSA relies on the fact that no one currently knows of a computationally effective way to factor the product of two extremely large unknown prime numbers. While RSA is believed to be secure, it is too slow for computationally demanding encryption applications unless specialized hardware is built to execute its algorithms. Even in hardware, RSA is a few orders of magnitude slower than DES, which is a private-key system. Consequently, RSA is most useful for distributing private keys, utilized by private-key encryption systems, and for implementing protocols. As aptly stated in [SCHNEIER], public-key cryptography is best for key management and a myriad of protocols. Symmetric private-key cryptography is best for encrypting data.

[0008] DES is a commercial block cipher private-key cryptographic system. DES is commonly used by commercial banks, financial institutions and other unclassified government agencies. “DES has been traditionally used by banks and other financial institutions for protecting the transmission of the funds and other transactions requiring high security.”, [NYTIMES]. In 1998, Paul Kocher demonstrated a hardware device that cracked a DES encrypted message in 56 hours. The cost of building the hardware device was less than 250,000 U.S. dollars.

[0009] Overall, up to this point in time, the use of non-autonomous dynamical systems applied to cryptography has not been proposed. (See subsections VI.D, VI.E, VI.G, and VI.I) While permutations have been utilized in cryptography for at least 75 years, [SCHNEIER, pp. 11-13], usually one or two permutations are used and these permutations stay fixed for a given key. (See U.S. Pat. Nos. 4,255,811; 4,316,055; 5,001,753; 5,297,207; 5,511,123). Using a sequence of permutations with different lengths to reorder a sequence of information or states has not been proposed. (See subsection VI.C.) The use of permutations to generate a non-autonomous dynamical system is new; and the use of inverse permutations to transpose elements of the permutation is also new. (See subsection VI.I.) Similarly, up to this point in time, creating a non-autonomous dynamical system, using n by n matrix multiplication on n by 1 matrices has not been proposed as an encryption process. (See subsections VI.E and VI.G.) Lastly, the creation of a Perturbator to break up periodic behavior in any kind of dynamical system, in particular any encryption process, is new. (See subsections VI.F and VI.H.)

SUMMARY AND ADVANTAGES OF INVENTION

[0010] Non-autonomous dynamical orbit (NADO) cryptography is a process for encrypting and decrypting information. The underlying process is a fast stream-like cipher that may be implemented efficiently in analog or digital hardware or software. The NADO process makes use of four novel concepts in cryptography: (1) A sequence of permutations which scrambles and spreads out the encrypted information; (2) A state generator built with a non-autonomous dynamical system to generate an unpredictable sequence of states; (3) One or more perturbators which over time change both the non-autonomous dynamical system and the sequence of permutations in a non-periodic way. (4) The use of the key to build the non-autonomous system and sequence of permutations.

[0011] NADO uses a symmetric private key to generate the mathematical systems in (1), (2), and (3). Furthermore, NADO composes these mathematical systems in a unique way, creating an astronomical number of possibilities to check in a brute-force attack. The composition of these systems makes NADO unbreakable to a brute-force attack with current computer technology.

[0012] One of the important advantages over previous methods is the difficulty of breaking this encryption method. The number of calculations required to crack the cipher is astronomical. At the same time, the executable code that implements NADO requires a small amount of computer memory. A second advantage is that without using any type of specialized hardware nor any type of data compression, the encryption processes of NADO execute much faster, as a function of the difficulty of cracking NADO. Its security and speed enable applications such as real-time encryption of wireless transmissions, demanding real-time military software, real-time embedded systems, commercial real-time networking, and real-time internet applications. A third advantage is that NADO requires smaller key sizes and enables variable-sized keys. A fourth advantage is that statistical tests on NADO-encrypted data show that plain-text attacks are as difficult as brute-force attacks.

[0013] Lastly, it can be mathematically shown that a broad class of current encryption algorithms generate a sequence of states that exhibit eventual periodicity. (See subsection VI.I.) It is possible that someone could propose a method of using this eventual periodicity to decode a message encrypted by these kinds of encryption algorithms—even for extremely large periods. NADO presents a new notion called a Perturbator to break up this eventual periodicity.

[0014] Further objects and advantages of NADO will become apparent from the attached software and ensuing description.

DETAILED DESCRIPTION OF THE INVENTION

[0015] In this section, subsection A presents the general cryptographic process. Subsections B, C, D, and F explain definitions and concepts needed to discuss particular embodiments of the cryptographic process. Subsections E, F, G, H, I, J present embodiments of the NADO cryptographic process. Subsection J shows how to build instantiations of NADO from the key. Subsection K summarizes key distribution. Subsections L and M describe the JAVA byte code that executes two embodiments of NADO.

[0016] A. Cryptographic Process

[0017] In this patent, information that has not been encrypted is called a message: Please wire ±50,000 to account 349-921118. Information that has been encrypted is called ciphertext: +,−3y=0z14.* 5A,0QxR4c

e;iu-j″:9b?2P-)1X[0t.

[0018] There are two ways to implement the cryptographic process.

[0019] Method A Encryption:

[0020] The expression [d₁, d₂, d₃, d₄, d₅, . . . , d_(n), . . . ] represents a message.

[0021] i. Use a key to build a state generator, and a sequence of permutations. (Subsection J.)

[0022] ii. Apply the sequence of permutations to the message so that the order is permuted: [d_(i) ₁ , d_(i) ₂ , d_(i) ₃ , d_(i) ₄ , d_(i) ₅ , . . . , d_(i) _(n) , . . . ]. (Subsections B and C.)

[0023] iii. Use the state generator to create a sequence of states: [s₁, s₂, s₃, s₄, s₅, . . . , s_(n), . . . ]. (Subsections D, E, F, G, H, and I.)

[0024] iv. Use state s₁ to encrypt message element d_(i) ₁ . Use state s₂ to encrypt message element d_(i) ₂ . Use state s₃ to encrypt message element d_(i) ₃ , and continue on, all the way up to use state s_(n) to encrypt message element d_(i) _(n) . And so on.

[0025] Method A Decryption:

[0026] The expression [c₁, c₂, c₃, c₄, c₅, . . . , c_(n), . . . ] represents ciphertext (encrypted message).

[0027] i. Use a key to build a state generator, and a sequence of inverse permutations. (Subsection J.)

[0028] ii. Apply the sequence of inverse permutations to the ciphertext so that the order is permuted: [c_(i) ₁ , c_(i) ₂ , c_(i) ₃ , c_(i) ₄ , c_(i) ₅ , . . . , c_(i) _(n) , . . . ]. (Subsections B and C.)

[0029] iii. Use the state generator to create a sequence of states: [s₁, s₂, s₃, s₄, s₅, . . . , s_(n), . . . ]. (Subsections D, E, F, G, H, and I.)

[0030] iv. Use state s₁ to decrypt ciphertext element c_(i) ₁ . Use state s₂ to decrypt ciphertext element c_(i) ₂ . Use state s₃ to decrypt ciphertext element c_(i) ₃ , and continue on, all the way up to use state s_(n) to decrypt ciphertext element c_(i) _(n) . And so on.

[0031] Method B Encryption:

[0032] The expression [d₁, d₂, d₃, d₄, d₅, . . . , d_(n), . . . ] represents a message.

[0033] i. Use a key to build a state generator, and a sequence of permutations. (Subsection J.)

[0034] ii. Use the state generator to create a sequence of states: [s₁, s₂, s₃, s₄, s₅, . . . s_(n), . . . ]. (Subsections D, E, F, G, H, and I.)

[0035] iii. Apply the sequence of permutations to the sequence of states so that the order is permuted: [s_(i) ₁ , s_(i) ₂ , s_(i) ₃ , s_(i) ₄ , s_(i) ₅ , . . . , s_(i) _(n) , . . . ]. (Subsections B and C.)

[0036] iv. Use state s_(i) ₁ to encrypt message element d₁. Use state s_(i) ₂ to encrypt message element d₂. Use state s_(i) ₃ to encrypt message element d₃, and continue on, all the way up to use state s_(i) _(n) to encrypt message element d_(n). And so on.

[0037] Method B Decryption:

[0038] The expression [c₁, c₂, c₃, c₄, c₅, . . . , c_(n), . . . ] represents ciphertext (encrypted message).

[0039] i. Use a key to build a state generator, and a sequence of inverse permutations. (Subsection J).

[0040] ii. Use the state generator to create a sequence of states: [s₁, s₂, s₃, s₄, s₅, . . . , s_(n), . . . ]. (Subsections D, E, F, G, H, and I).

[0041] iii. Apply the sequence of inverse permutations to the sequence of states so that the order is permuted: [s_(i) ₁ , s_(i) ₂ , s_(i) ₃ , s_(i) ₄ , s_(i) ₅ , . . . , s_(i) _(n) , . . . ]. (Subsections B and C).

[0042] iv. Use state s_(i) ₁ to decrypt ciphertext element c₁. Use state s_(i) ₂ to decrypt ciphertext element c₂. Use state s_(i) ₃ to decrypt ciphertext element c₃, and continue on, all the way up to use state s_(i) _(n) to decrypt ciphertext element c_(n). And so on.

[0043] Comments on Method A

[0044] In method A, step iii may precede ii or step ii may precede iii, or they can be executed simultaneously.

[0045] Comments on Step iv.

[0046] In step iv of methods A and B, there are many ways to implement both the function that encrypts the message element with the corresponding state element, and the inverse function that decrypts the ciphertext element with the corresponding state element.

[0047] Let ƒ denote the function used to encrypt message element d with state element S.

[0048] Then the encrypted (ciphertext) element is c=f(d, s). When decrypting ciphertext element c with state s, then the inverse of ƒ is used, denoted as ƒ⁻¹. In this case, the decrypted element is ƒ⁻¹(c, s). Observe that ƒ⁻¹(ƒ(d, s), s)=d must hold so that the receiver can decrypt the encrypted message. ƒ⁻¹(ƒ(d, s), s)=d is just a mathematical way of representing a simple idea: The sender encrypts a message; after the receiver decrypts this encrypted message, the receiver is able to read and understand the message.

[0049] The function ƒ should have the following two properties:

[0050] (1) The function must be invertible i.e. ƒ⁻¹(ƒ(d, s), s)=d.

[0051] (2) The function and its inverse function must execute fast on a computer.

[0052] There are three preferred implementations of ƒ. First, the binary operator Exclusive-OR, denoted by ⊕, is the most preferable on digital computers because it and its inverse are extremely fast. (The Exclusive-OR function is its own inverse.) ⊕ is a binary operator obeying the following rules: 1⊕0=1. 0⊕1=1. 0⊕0=0. 1⊕1=0. If the state s and d are represented by more than one bit, then the bitwise Exclusive-OR function is defined by applying ⊕ to corresponding bits. As an example, suppose the message element d=[10110000], and the state s=[00101110]. In this case, ⊕(d, s)=[1⊕0, 0⊕0, 1⊕1, 1⊕0, 0⊕1, 0⊕1, 0⊕1, 0⊕0]=[10011110].

[0053] Second, suppose L is the number of distinct values that message element d or state s can be assigned. One can define ƒ(d, s)=(d+s) modulo L, and the inverse ƒ⁻¹(c, s)=(c−s) modulo L. Vice versa also works: ƒ(d, s)=(d−s) modulo L, and ƒ⁻¹(c, s)=(c+s) modulo L.

[0054] When K is a non-negative integer, K modulo n means divide K by n and the answer is the remainder. 29 modulo 8 equals 5 because 5 is the remainder when you divide 29 by 8. When K is a negative integer, the definition changes. Add the smallest positive multiple of n that makes the sum of K and this multiple greater than or equal to 0. More precisely, K modulo n equals K+c*n, where c is the smallest positive integer such that (K+c*n)≧0. As an example, −263 modulo 256 equals −263+(2*256)=249. Another example, −26 modulo 8 equals −26+(4*8)=6.

[0055] Third, defining ƒ as a particular permutation is fast and its inverse is fast too. The next subsection covers permutations.

[0056] B. The First Mathematical System

[0057] Step ii of method A applies a sequence of permutations when encrypting a message, and step iii of method B applies a sequence of inverse permutations when decrypting ciphertext. In method A, while encrypting the message, the purpose is to scramble the order of the message. In method B, while encrypting the message, the purpose is to scramble the order of a sequence of states.

[0058] In method A, when decrypting the ciphertext, the purpose is to unscramble the order of a sequence of ciphertext elements. In method B, when decrypting the ciphertext, the purpose is to unscramble the order of a sequence of states.

[0059] Let the symbol S denote a set. S can be a finite or infinite set. A permutation is a function σ: S→S that sends elements of S to elements of S, is 1 to 1, and is onto. 1 to 1 means that no two distinct elements from S get mapped by σ to the same element. More formally, if s₁, s₂ are any two distinct element from S, in other words s₁≠s₂, then σ(s₁)≠σ(s₂). Onto means that if you choose any element r from S, you can find an element s so that σ maps s to r. In other words, for any element r from S, there is some element s in S satifying σ(s)=r. In the context of cryptography, the properties 1 to 1, and onto are useful because they help assure that a sequence of a message or states that have been scrambled by a permutation(s) can be unscrambled by the inverse permutation(s).

[0060] The identity permutation is the permutation that sends every element to itself. Formally, i: S→S. For every element s in S, i(s)=s. As an example, choose S to be the numbers 0 thru 4, inclusive. The identity i sends every element to itself means that i(0)=0, i(1)=1, i(2)=2, i(3)=3, and i(4)=4.

[0061] A finite permutation is a permutation on a finite set. Any finite permutation can be represented as a finite sequence of numbers. The word ‘sequence’ means that the order of the numbers matters. The sequence [0, 1] is not the same sequence as (1, 0]. Square brackets [ ] represent a sequence.

[0062] The sequence, [0, 1, 2, 3, 4], represents the identity permutation on S. This sequence is interpreted as a permutation in the following way. The number 0 is at the beginning of the sequence, so i(0)=0. The next number in the sequence is 1, so i(1)=1. The number 2 follows 1 in the sequence, so i(2)=2. The number 3 follows 2 in the sequence, so i(3)=3. Finally, 4 follows 3 in the sequence, so i(4)=4.

[0063] As a different example, choose S to be the numbers 0 thru 7, inclusive. Choose λ=[1, 5, 3, 6, 7, 2, 4, 0]. The number 1 is at the beginning of the sequence, so λ(0)=1. The next number in the sequence is 5, so λ(1)=5. The number 3 follows 5, so λ(2)=3. Similarly, λ(3)=6, λ(4)=7, λ(5)=2, λ(6)=4, and λ(7)=0.

[0064] There is a simple way to check that λ is 1 to 1 and onto. Check that all 8 numbers are in the sequence, and make sure none of these numbers occurs in the sequence more than once.

[0065] If σ is a permutation, then the inverse of σ is denoted σ⁻¹. When you apply σ and then apply σ⁻¹, or vice versa, this composite function is the identity map. Formally, σ∘σ⁻¹=σ⁻¹∘σ=i. In other words, the function σ∘σ⁻¹ sends every element to itself, and the function σ⁻¹∘σ maps every element to itself.

[0066] The inverse of λ, denoted λ⁻¹, is represented by the sequence, [7, 0, 5, 2, 6, 1, 3, 4]. The following analysis verifies that this sequence defines the inverse of lambda. From the sequence, λ⁻¹(0)=7, λ⁻¹(1)=0, λ⁻¹(2)=5, λ⁻¹(3)=2, λ⁻¹(4)=6, λ⁻¹(5)=1, λ⁻¹(6)=3, and λ⁻¹(7)=4. Next, check that λ∘λ⁻¹(0)=λ(7)=0, λ∘λ⁻¹(1)=λ(0)=1, λ∘λ⁻¹(2)=λ(5)=2, λ∘λ⁻¹(3)=λ(2)=3, λ∘λ⁻¹(4)=λ(6)=4, λ∘λ⁻¹(5)=λ(1)=5, λ∘λ⁻¹(6)=λ(3)=6, λ∘λ⁻¹(7)=λ(4)=7.

[0067] This paragraph defines two different operations on a permutation. A transposition is an operation that swaps two elements in a permutation. Let σ=[1, 0, 2, 6, 7, 5, 3, 4] be the initial permutation. Transpose 2 and 5 in σ. After the transposition, σ=[1, 0, 5, 6, 7, 2, 3, 4]. A rotation is an operation that rotates the elements in a permutation. Let σ=[1, 0, 2, 6, 7, 5, 3, 4] be the initial permutation. After a rotation, the new permutation is σ=[4, 1, 0, 2, 6, 7, 5, 3].

[0068] Any permutation can be constructed efficiently using transpositions. The following example illustrates how to build λ starting with the identity permutation and using only transpositions. The identity permutation on 8 elements is represented by the sequence: [0, 1, 2, 3, 4, 5, 6, 7]

[0069] TRANSPOSE 1 and 0: [1, 0, 2, 3, 4, 5, 6, 7].

[0070] TRANSPOSE 5 and 0: [1, 5, 2, 3, 4, 0, 6, 7].

[0071] TRANSPOSE 3 and 2: [1, 5, 3, 2, 4, 0, 6, 7].

[0072] TRANSPOSE 6 and 2: [1, 5, 3, 6, 4, 0, 2, 7].

[0073] TRANSPOSE 7 and 4: [1, 5, 3, 6, 7, 0, 2, 4].

[0074] TRANSPOSE 2 and o: [1, 5, 3, 6, 7, 2, 0, 4].

[0075] TRANSPOSE 4 and o: [1, 5, 3, 6, 7, 2, 4, 0].

[0076] It took only 7 transpositions to change the identity permutation to the permutation λ. Starting with the identity permutation, it takes at most 8 transpositions to generate any of the possible permutations. There are a total of 8! possible permutations, where 8! is a shorthand method of representing the first 8 numbers multiplied times each other: 1*2*3*4*5*6*7*8=40320.

[0077] In cryptography applications, we recommend permutations of size greater than 46 because 47! is greater than 10⁵⁹. 10⁵⁹ is an overwhelming number of possibilities to check with current computers and will be in the foreseeable future. For a permutation of size 256, the number of possible permutations is greater than 10⁵⁰⁶. In the future, as the speed of computers improves, one should increase the size of the permutations used to make brute-force attacks impractical.

[0078] If S has n elements, it takes at most n transpositions to construct any permutation on S. The general procedure for constructing any of the n! permutations is similar to the steps already mentioned. Start with the identity permutation, and then execute n transpositions.

[0079] Initialize σ equal to the identity permutation, [0, 1, 2, 3, . . . , n−2, n−1].

[0080] Execute the steps inside the brackets at least n times.

[0081] {

[0082] Randomly choose two distinct natural numbers i≠k, satisfying 0≦i, k<n.

[0083] Transpose the ith element and the kth element in σ.

[0084] }

[0085] This procedure is shown for a permutation of length 32. Initialize σ equal to the identity permutation:

[0086] [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31].

[0087] Choose 21 and 4 randomly. Transpose the 21st and 4th elements.

[0088] [0, 1, 2, 3, 21, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 4, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]

[0089] Choose 27 and 14 randomly. Transpose the 27th and 14th elements.

[0090] [0, 1, 2, 3, 21, 5, 6, 7, 8, 9, 10, 11, 12, 13, 27, 15, 16, 17, 18, 19, 20, 4, 22, 23, 24, 25, 26, 14, 28, 29, 30, 31]

[0091] Choose 29 and 4 randomly. Transpose the 29th and 4th elements.

[0092] [0, 1, 2, 3, 29, 5, 6, 7, 8, 9, 10, 11, 12, 13, 27, 15, 16, 17, 18, 19, 20, 4, 22, 23, 24, 25, 26, 14, 28, 21, 30, 31]

[0093] Choose 11 and 17 randomly. Transpose the 11th and 17th elements.

[0094] [0, 1, 2, 3, 29, 5, 6, 7, 8, 9, 10, 17, 12, 13, 27, 15, 16, 11, 18, 19, 20, 4, 22, 23, 24, 25, 26, 14, 28, 21, 30, 31]

[0095] Continue these steps for another 28 transpositions to build a random permutation on 32 elements. This method of constructing an arbitrary permutation is important because it prevents an intruder from trying to guess the permutation. A potential intruder can not eliminate permutations that may be unreachable by some other algorithm that constructs a permutation. In our case, the intruder must check on average $\frac{n!}{2}$

[0096] possibilities. Further, transpositions can be executed very quickly on a digital computer. A permutation σ of size 256 requires only 256 memory swaps, and about 2*256=512 bytes of memory to store σ and the inverse of σ. On the other hand, a brute force attack requires checking more than 10⁵⁰⁶ permutations because $\frac{256!}{2} > {10^{506}.}$

[0097] >10⁵⁰⁶. This transposition method is able to generate an astronomical number of possibilities to check, using very little computation (256 memory swaps), and a small amount of memory.

[0098] C. Permuting Information and States

[0099] This section explains the method of using permutations to change the order of a sequence of information or a sequence of states.

[0100] Let D=[d₀, d₁, d₂, d₃, d₄, d₅, d₆, d₇, d₈, d₉, d₁₀, d₁₁, d₁₂] be a sequence of a message with 13 elements. Each message element, d_(i), represents n_(i) bits, where n_(i)≧1. Define the permutation λ of length 4 to be [2, 0, 3, 1]. This means that λ(0)=2, λ(1)=0, λ(2)=3, and λ(3)=1. Define the permutation a of length 6 to be σ=[4, 2, 0, 5, 3, 1]. This means that σ(0)=4, σ(1)=2, σ(2)=0, σ(3)=5, σ(4)=3, and σ(5)=1. Define γ=[2,0,1]. Then γ(0)=2, γ(1)=0, and γ(2)=1.

[0101] Apply λ to permute the first 4 elements of D, apply σ to permute the next 6 elements of D, and apply γ to permute the last 3 elements of D. The new permuted message sequence is:

[0102] [d_(λ(0)), d_(λ(0)), d_(λ(2)), d_(λ(3)), d_(σ(0)+4), d_(σ(1)+4), d_(σ(2)+4), d_(σ(3)+4), d_(σ(4)+4), d_(σ(5)+4), d_(γ(0)+10), d_(γ(1)+10), d_(γ(2)+10)],

[0103] which equals [d₂, d₀, d₃, d₁, d₈, d₆, d₄, d₉, d₇, d₅, d₁₂, d₁₀, d₁₁].

[0104] This paragraph provides further details on how to apply σ to the subsequence, [d₄, d₅, d₆, d₇, d₈, d₉], of the message sequence D. Applying σ creates a new permuted subsequence [d₈, d₆, d₄, d₉, d₇, d₅]. The 0th element of the permuted subsequence is d₈ because σ(0)+4=8. The first element of the permuted subsequence is d₆ because σ(1)+4=6. The second element of the permuted subsequence is d₄ because σ(2)+4=4. The third element of the permuted subsequence is d₉ because σ(3)+4=9. The fourth element of the permuted subsequence is d₇ because σ(4)+4=7. The fifth element of the permuted subsequence is d₅ because σ(5)+4=5. Notice that 4 is added each time because 4 is the sum of the lengths of the previous permutations applied to D. In this particular case, λ is the only previous permutation applied to D and λ's length is 4 so the sum is 4.

[0105] This paragraph provides further details on how to apply γ to the subsequence, [d₁₀, d₁₁, d₁₂], of the message sequence D. Applying γ creates a new permuted subsequence [d₁₂, d₁₀, d₁₁]. The 0th element of the permuted subsequence is d₁₂ because γ(0)+10=12. The first element of the permuted subsequence is d₁₀ because γ(1)+10=10. The second element of the permuted subsequence is d₁₁ because γ(2)+10=11. Notice that 10 is added each time because 10 is the sum of the lengths of the previous permutations, λ and σ, applied to D.

[0106] In a similar way, use λ, σ, and γ to permute the sequence of states: S=[s₀, s₁, s₂, s₃, s₄, s₅, s₆, s₇, s₈, s₉, s₁₀, s₁₁, s₁₂]. After applying λ, σ, and γ, the permuted sequence is [s₂, s₀, s₃, s₁, s₈, s₆, s₄, s₉, s₇, s₅, s₁₂, s₁₀, s₁₁].

[0107] In general, let D be a sequence of a message [d₀, d₁, d₂, d₃, d₄, . . . d_(n−1)] with n message elements. Choose any sequence of permutations [σ₁, σ₂, . . . σ_(k)], where σ₁ is a permutation of length m₁, σ₂ is a permutation of length m₂, and so forth up to, σ_(k) is a permutation of length k, and all the lengths sum to n. In other words, m₁+m₂+m₃+ . . . +m_(k)=n. Permute the message sequence D with this sequence of permutations so that the new permuted message sequence is [d_(σ) ₁ ₍₀₎, d_(σ) ₁ ₍₁₎, d_(σ) ₁ ₍₂₎, . . . , d_(σ) ₁ _((m) ₁ ⁻¹⁾, d_(σ) ₂ _((0)+m) ₁ , . . . , d_(σ) ₂ _((m) ₂ _(−1)+m) ₁ , d_(σ) ₃ _((0)+m) ₁ _(+m) ₂ , d_(σ) ₃ _((1)+m) ₁ _(+m) ₂ , . . . , d_(σ) ₃ _((m) ₃ _(−1)+m) ₁ _(+m) ₂ , d_(σ) ₄ _((0)+m) ₁ _(+m) ₂ _(+m) ₃ , . . . , d_(σ) _(k) _((m) _(k) _(−1)+n−m) _(k) ].

[0108] Similarly, let S be a sequence of states [s₀, s₁, s₂, s₃, s₄, . . . s_(n−1)] with n elements. Choose any sequence of permutations [σ₁, σ₂, . . . σ_(k)], where σ₁ is a permutation of length m₁, σ₂ is a permutation of length m₂, and so forth, σ_(k) is a permutation of length k, and all the lengths sum to n. In other words, m₁+m₂+m₃+ . . . +m_(k)=n. Permute this sequence of states S so that the new permuted sequence is [s_(σ) ₁ (0), s_(σ) ₁ (1), s_(σ) ₁ (2), . . . , s_(σ) ₁ (m₁−1), s_(σ) ₂ (0)+m₁, . . . , s_(σ) ₂ (m₂−1)+m₁, s_(σ) ₃ (0)+m₁+m₂, s_(σ) ₃ (1)+m₁+m₂, . . . , s_(σ) ₃ (m₃−1)+m₁+m₂, s_(σ) ₄ (0)+m₁+m₂+m₃, . . . , s_(σ) _(k) (m_(k)−1)+n−m_(k)].

[0109] D. The Second Mathematical System

[0110] The second system is a state generator. This system iterates a dynamical system to create this sequence of states. An iterative autonomous dynamical system is created by a function f: X→X, where X is a set, [ROBINSON]. When a function f and an initial orbit point x are chosen, the iteration of ƒ on x creates a sequence of states: [x, ƒ(x), ƒ∘ƒ(x), ƒ∘ƒ∘ƒ(x), . . . ]. This sequence of states is called the orbit of a with the function ƒ. It is also possible to create a sequence of states using a sequence of functions [ƒ₁, ƒ₂, ƒ₃, ƒ₄, . . . ], rather than a single function. The iteration of this collection on an initial orbit point x creates a sequence of states: [x, ƒ₁(x), ƒ₂∘ƒ₁(x), ƒ₃∘ƒ₂∘ƒ₁(x), ƒ₄∘ƒ₃∘ƒ₂∘ƒ₁(x), . . . ]. As the system is iterated, if the function applied sometimes changes, then this is an iterative non-autonomous dynamical system, [FISKE]. An iterative autonomous dynamical system is a special case of a non-autonomous dynamical system. If all the ƒ_(i) represent the same function, then this is the definition of an autonomous dynamical system.

[0111] A smooth dynamical system is created by a vector field on a manifold, [SPIVAK]. If the vector field does not change over time, then it is a smooth autonomous dynamical system. If the vector field changes smoothly over time, then it is a smooth non-autonomous dynamical system. In a smooth dynamical system, one creates a sequence of unpredictable states by sampling the coordinates of the trajectory at successive time intervals: t₀<t₁<t₂< . . .

[0112] E. Iterative Systems with Matrices over

₂

[0113] This subsection explains how to construct a discrete non-autonomous dynamical system, using matrices over the finite field

₂.

₂ is the finite field with two elements: 0 and 1. There are two operations for the finite field

₂, addition and multiplication represented by + and *, respectively. The complete rules for addition are: 0+0=0. 0+1=1. 1+0=1. 1+1=0. The complete rules for multiplication are: 0*0=0. 0*1=0. 1*0=0. 1*1=1.

[0114] Matrices whose entries lie in

₂ can be created. The dot product is defined with matrices that have only one row or one column. Choose the matrix V=(1 0 1). V has 1 row and 3 columns, and is called a 1 by 3 matrix.

[0115] Choose the matrix 3 by 1, $W = {\begin{pmatrix} 0 \\ 1 \\ 1 \end{pmatrix}.}$

[0116] The dot product between v and w is a number in F₂. The computation of the dot product consists of steps i. thru iv.

[0117] i. Multiply the number 1 in the first column of v by the number 0 in the first row of W.

[0118] ii. Multiply the 0 in the second column of v by the 1 in the second row of W.

[0119] iii. Multiply the 1 in the third column of v by the 1 in the third row of W.

[0120] iv. Add the results of i., ii., and iii.

[0121] The dot product computation just described is (1*0)+(0*1)+(1*1)=1.

[0122] In the more general case, v is a 1 by n matrix and w is a n by 1 matrix.

[0123] Choose V=(v₁ v₂ v₃ . . . v_(n)), and $W = {\begin{pmatrix} w_{1} \\ w_{2} \\ w_{3} \\ \ldots \\ w_{n} \end{pmatrix}.}$

[0124] The dot product between V and W is (v₁*w₁)+(v₂*w₂)+(v₃*w₃)++(v_(n)*w_(n)).

[0125] Next, matrix multiplication is defined in terms of the dot product. Choose a 3 by 3 matrix, $A = {\begin{pmatrix} 1 & 0 & 1 \\ 0 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}.}$

[0126] Choose a 3 by 1 matrix, $B = {\begin{pmatrix} 1 \\ 1 \\ 0 \end{pmatrix}.}$

[0127] Matrix multiplication A*B is computed by calculating a distinct dot product between each row of matrix A, and the 3 by 1 matrix B. $\begin{matrix} {{A*B} = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}} & \quad & {\begin{pmatrix} 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix}} \end{matrix}$

[0128] The first row of $\begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix}\quad$

[0129] is 1 because this matrix entry is computed by calculating the dot product between the first row of A and the matrix B. The first row of A is (1 0 1). This dot product computation is (1*1)+(0*1)+(1*0)=1. The second row of $\begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix}\quad$

[0130] is 0 because this matrix entry is computed by calculating the dot product between the second row of A and the matrix B. The second row of A is (0 0 1). This dot product computation is (0*1)+(0*1)+(1*0)=0. The third row of $\begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix}\quad$

[0131] is 1 because this matrix entry is computed by calculating the dot product between the third row of A and the matrix B. The third row of A is (0 1 0). This dot product computation is (0*1)+(1*1)+(0*0)=1.

[0132] In general, multiply an n by n matrix $A = \begin{pmatrix} a_{11} & a_{12} & a_{13} & \ldots & a_{1n} \\ a_{21} & a_{22} & a_{23} & \ldots & a_{2n} \\ a_{31} & a_{32} & a_{33} & \ldots & a_{3n} \\ \ldots & \ldots & \ldots & \ldots & \ldots \\ a_{n1} & a_{n2} & a_{n3} & \ldots & a_{nn} \end{pmatrix}$

[0133] by an n by 1 matrix $B = {\begin{pmatrix} b_{11} \\ b_{21} \\ b_{31} \\ \ldots \\ b_{n1} \end{pmatrix}.}$

[0134] The result is an n by 1 matrix ${A*B} = {C = {\begin{pmatrix} c_{11} \\ c_{21} \\ c_{31} \\ \ldots \\ c_{n1} \end{pmatrix}.}}$

[0135] The number in the first row of C equals the dot product between the first row of A and the matrix B. In other words, c₁₁=(a₁₁*b₁₁)+(a₁₂*b₂₁)+(a₁₃*b₃₁)+ . . . +(a_(1n)*b_(n1)) Similarly, the number in the second row of C equals the dot product between the second row of A and the matrix B. In other words, c₂₁=(a₂₁*b₁₁)+(a₂₂*b₂₁)+(a₂₃*b₃₁)+ . . . +(a_(2n)*b_(n1)) The ith row of C equals the dot product between the ith row of A and the matrix B. In other words, c_(i1)=(a_(i1)*b₁₁)+(a_(i2)*b₂₁)+(a_(i3)*b₃₁)+ . . . +(a_(in)*b_(n1))

[0136] Choose A to be a n by n matrix over

₂. Let X_(n) be the set of all n by 1 matrices over F2. The matrix A creates a function A: X_(n)→X_(n) using matrix multiplication.

[0137] Choose s to be a n by 1 matrix lying in X_(n). s is called the initial orbit point. Define A(s)=A*s. As described in subsection D, if A remains changed as the dynamical system is iterated, then A creates a discrete autonomous dynamical system. The orbit of s with respect to A is [s, A*s, A*A*s, A*A*A*s, . . . ]. The n by 1 matrices in the orbit, s, A*s, A*A*s, and so on, are called orbit points. A is called the iterating matrix.

[0138] As the dynamical system is iterated, if the matrix A changes occasionally, then this creates a discrete non-autonomous dynamical system. There are some important goals when changing the iterating matrix.

[0139] Use a small amount of memory.

[0140] Use a small amount of computational time.

[0141] Make sure that the matrix does not become all zeroes.

[0142] If one of the orbit points becomes all zeroes, then there is a way for one of the entries in the future orbit to become non-zero after one or more iterates.

[0143] If the points in the orbit are n by 1 matrices, assure that the orbit of the non-autonomous system reaches every one of the possible 2^(n) matrices (states).

[0144] There are many ways to accomplish these objectives:

[0145] i. Swap rows or columns of the matrix.

[0146] ii. Swap the orbit point with a row or column in the iterating matrix.

[0147] iii. Change entries in the matrix or orbit point from one to zero or zero to one.

[0148] iv. Transpose individual entries in the matrix over time.

[0149] v. Transpose entries from the orbit point with entries in the iterating matrix.

[0150] vi. Rotate the entries in one row of the matrix.

[0151] vii. This method is an enhancement of ii. Replace a row of the matrix A with the sum of the zero repeller and the current orbit point. Replace the current orbit point with the same row of the matrix A. Increase the zero repeller by 1. Below is a section of this code executed in NADO.jar on the CD-ROM.

[0152] temp=(orbitpoint+zerorepeller) ;

[0153] orbitpoint=matrix[rowtoswap][0] ;

[0154] matrix[rowtoswap][0]=temp ;

[0155] zerorepeller + + ;

[0156] There are also a number of ways to decide when to change the matrix. The matrix can be changed after each iteration, or it can be remain unchanged for a number of iterations and then can be changed. If the matrix remains unchanged for a few iterations, this helps reduce computational time.

[0157] The next example illustrates changing the matrix in a non-periodic way. Initialize A and s₀. The subscript denotes the iterate number. $\begin{matrix} {A = {\begin{pmatrix} 0 & 0 & 1 & 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\ 0 & 1 & 1 & 1 & 1 & 0 & 1 & 1 \\ 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \end{pmatrix}.}} & \quad & \quad & {s_{0} = {\begin{pmatrix} 0 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.}} \end{matrix}$

[0158] After the first and second iterate, the states are $\begin{matrix} {s_{1} = {{A*s_{0}} = \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}}} & \quad & \quad & {and} & \quad & \quad & {s_{2} = {{A*s_{1}} = {\begin{pmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}.}}} \end{matrix}$

[0159] Swap s₂ with the first row of A. After the swap, the new values of A and s₂ are $\begin{matrix} {A = {\begin{pmatrix} 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\ 0 & 1 & 1 & 1 & 1 & 0 & 1 & 1 \\ 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \end{pmatrix}.}} & \quad & \quad & {s_{2} = {\begin{pmatrix} 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 0 \\ 1 \\ 0 \end{pmatrix}.}} \end{matrix}$

[0160] After the 3rd iterate, $s_{3} = {{A*s_{2}} = {\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}.}}$

[0161] Swap the 3rd and the 7th rows of A. After the swap, $A = {\begin{pmatrix} 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 & 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \end{pmatrix}.}$

[0162] After the 4th, 5th, 6th and 7th iterates with no changes made to A, $\begin{matrix} {s_{4} = \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 1 \\ 0 \\ 1 \end{pmatrix}} & \quad & {s_{5} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \end{pmatrix}} & \quad & {s_{6} = \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}} & \quad & {s_{7} = \begin{pmatrix} 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 0 \end{pmatrix}} \end{matrix}$

[0163] where s₄=A*s₃, s₅=A*s₄, s₆=A*s₅, and s₇=A*s₆. After flipping the 5th row of s₇ from 1 to 0, $s_{7} = {\begin{pmatrix} 1 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}.}$

[0164] After the 8th iterate, $s_{8} = {\begin{pmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.}$

[0165] Continue to generate states s₉, s₁₀, . . . indefinitely, changing A or s_(i) in a non-periodic way.

[0166] F. Perturbator

[0167] A Perturbator is a new notion. A general Perturbator is any process that changes some dynamical system in a non-periodic way. The Perturbator described in this section is designed to change A or s_(i) in a non-periodic way; execute fast; and use a small amount of memory.

[0168] Use part of the private key to initialize the integer variables: n, θ, δ, M and c. We prefer to initialize n=0, and the other variables so that M≧θ≧c≧0 and δ>0. The execution of the Perturbator consists of the steps below.

[0169] Add 1 to n. Add 1 to n if (n ≧ θ) {  Set n equal to 0.  Add δ to θ.  Change A or s_(i) using one of the steps i. thru vii.  if (θ > M)  {   Set θ equal to c.   Add 1 to M.  } }

[0170] The computer executes the steps of the Perturbator, after each iteration of the computation s_(i+1)=A*s_(i).

[0171] G. Iterative Systems with Matrices Over any Ring

[0172] All of the methods in the previous section, also hold for any collection of matrices whose entries lie in a mathematical ring. In the previous section, the entries in the matrix were in

2 for clarity. A ring R is any set of elements having the binary operations + and * with the following properties.

[0173] For any elements, x, y in R, both x+y and x*y are in R.

[0174] For any elements, x, y in R, x+y=y+x.

[0175] For any elements, x, y, and z in R, (x+y)+z=x+(y+z).

[0176] There is an identity element 0 with respect to +. For any x in R, 0+x=x+0=x.

[0177] Every element x in R has an additive inverse −x in R so that x+−x=0.

[0178] For any elements, x, y, and z in R, (x*y)*z=x*(y*z).

[0179] There is an identity element 1 with respect to *. For any r in R, 1*r=r*1=r.

[0180] * distributes over +. For any elements, x, y, and z in R, z*(x+y)=z*x+z*y, and (x+y)*z=x*z+y*z.

[0181] Below are some examples of rings whose elements can be in a matrix.

[0182] i. The integers { . . . , −3, −2, −1, 0, 1, 2, 3, . . . } using addition and multiplication.

[0183] ii. The rational numbers with the standard addition and multiplication operations.

[0184] iii. The real numbers with the standard addition and multiplication operations.

[0185] iv. The complex numbers with the standard addition and multiplication operations.

[0186] v. The set of n by n matrices whose entries lie in a field F, including finite fields.

[0187] vi. The set of quaternions constructed over any field, including finite fields. The set of quaternions are the set of all formal symbols a₀+a₁i+a₂j+a₃k, where a₀, a₁, a₂, and a₃ all lie in the same field, F. Addition for two elements in the quaternions is (a₀+a₁i+a₂j+a₃k)+(b₀+b₁i+b₂j+b₃k)=(a₀+b₀)+(a₁+b₁)i+(a₂+b₂)j+(a₃+b₃)k.

[0188] Multiplication for two elements in the quaternions is

[0189] (a₀+a₁i+a₂j+a₃k)*(b₀+b₁i+b₂j+b₃k)=(c₀+c₁i+c₂j+c₃k) where

[0190] c₀=a₀b₀−a₁b₁−a₂b₂−a₃b₃; c₁=a₀b₁+a₁b₀+a₂b₃−a₃b₂; c₂=a₀b₂−a₁b₃+a₂b₀+a₃b₁; and c₃=a₀b₃+a₁b₂−a₂b₁+a₃b₀.

[0191] vii. Any finite ring

_(n). Notice that this includes the particular finite fields:

₂,

₃,

₅,

₇, . . . ,

₃₁, . . . ,

₁₂₇, . . .

[0192] viii. The finite commutative ring with 4 elements R_(i)={0, 1, i, i+1}, where the ring operations + and * satisfy the following rules: 0 is the identity element with respect to +. 1 is the identity element with respect to *. i*i=1. i+i=0. 1+1=0.

[0193] Note: R_(i) is neither isomorphic to

₄, nor isomorphic to

₂×

₂.

[0194] H. Changing a Dynamical System with a Perturbator

[0195] In the Perturbator discussed in section, one can substitute the step, Set M to the next prime number p, for the step Add 1 to M. Further, initialize M to some arbitrary prime number. These substitutions create a different implementation of a Perturbator. An important idea is that if M is changed to a value it has never been assigned, then the dynamical system can be perturbed in a non-periodic way. This idea enables a more general Perturbator that perturbs an arbitrary dynamical system in a non-periodic way. Below are the steps of this more general Perturbator that are executed after each iteration of the dynamical system. Add 1 to n. if (n ≧ θ) {  Set n equal to 0.  Add δ to θ.  Change elements or parameters in the other dynamical system.  if (θ > M)  {   Set θ equal to c.   Change M.  } }

[0196] The most general method is to use a distinct dynamical system P: Y→Y as the Perturbator. As stated in the section that introduces dynamical systems, let ƒ: X→X be any initial function that needs to be transformed into a non-autonomous dynamical system. Initialize D to a subset of Y. The execution steps are: do {  Iterate f: s_(i) = f(s_(i−1)).  Iterate P: y_(i) = P(y_(i−1)).  If (y_(i) lies in D)  {   Change f.   Remove or add elements to D.  } } while (More states s_(i) need to be generated)

[0197] I. Non-Autonomous Systems Using Permutations

[0198] The goal here is to create a sequence of states using a sequence of permutations. Choose an initial permutation σ with length L. Initialize the state number variable i to 0. Initialize variables k and j to two natural numbers lying in the set {0, 1, 2, 3, . . . , (L−1)}. Steps A thru E are executed inside of a loop. The number of times the loop is executed determines the number of states generated in the sequence. The system described below generates a sequence of states, [s₀, s₁, s₂, . . . ].

[0199] A Set k equal to (k+1) modulo L.

[0200] B Set j equal to (j+σ⁻¹(k)) modulo L.

[0201] C Set state s_(i) equal to σ((σ(k)+σ(j)) modulo L).

[0202] D Set the state number i equal to i+1.

[0203] E Transpose the σ⁻¹(k)th entry and σ⁻¹(j)th entry in σ.

[0204] In current technology, data written to and read from streams is often in bytes. A byte represents 2⁸=256 distinct values. Thus, steps A thru E are illustrated on a permutation of length 256. Choose σ as:

[0205] [44, 248, 189, 104, 187, 201, 127, 226, 220, 136, 155, 237, 86, 144, 166, 27, 152, 204, 150, 202, 114, 157, 67, 245, 172, 22, 89, 167, 214, 145, 42, 191, 57, 77, 186, 251, 31, 161, 221, 111, 250, 51, 117, 205, 0, 48, 79, 165, 76, 209, 181, 151, 198, 78, 200, 129, 179, 49, 230, 3, 102, 222, 146, 203, 30, 227, 70, 196, 140, 109, 177, 63, 32, 75, 228, 178, 253, 43, 10, 105, 38, 128, 11, 174, 23, 215, 25, 223, 110, 182, 137, 216, 176, 229, 141, 163, 212, 94, 143, 193, 219, 88, 133, 218, 197, 180, 90, 171, 255, 84, 95, 81, 124, 185, 108, 121, 247, 194, 87, 40, 9, 41, 238, 92, 131, 168, 184, 115, 2, 14, 54, 103, 17, 122, 26, 192, 246, 4, 208, 225, 71, 119, 126, 118, 33, 130, 183, 46, 101, 159, 224, 1, 125, 142, 107, 217, 37, 234, 242, 15, 35, 239, 211, 236, 65, 154, 16, 5, 34, 98, 61, 156, 53, 6, 59, 100, 162, 116, 206, 68, 169, 85, 58, 113, 45, 62, 148, 106, 243, 249, 7, 55, 147, 66, 91, 233, 39, 36, 47, 190, 252, 29, 235, 82, 96, 60, 188, 97, 18, 213, 24, 153, 240, 158, 195, 139, 232, 72, 120, 93, 135, 210, 199, 164, 149, 99, 160, 134, 13, 19, 83, 52, 132, 175, 231, 123, 241, 28, 207, 73, 112, 64, 50, 12, 80, 74, 20, 56, 8, 173, 254, 138, 244, 170, 69, 21].

[0206] Executing steps A thru E in a loop ten times, the first ten states are:

[0207] [s₀, s₁, s₂, s₃, s₄, s₅, s₆, s₇, s₈, s₉]=[224, 104, 158, 8, 149, 5, 133, 0, 21, 198].

[0208] Steps A thru E are described in more detail to show how the states are generated. Initialize j=143 and k=255.

[0209] At step A, k is set equal to 0 because 255+1 modulo 256 equals 0.

[0210] At step B, j is set equal to (143+σ⁻¹(0)) modulo 256. Since σ(44)=0, σ⁻¹(0)=44. Thus, after step B, j=187.

[0211] At step C, σ((σ(0)+σ(187)) modulo 256)=σ((44+106) modulo 256)=σ(150)=224 so state s₀=224.

[0212] At step D, add 1 to i, so i=1.

[0213] At step E, the simplest way to understand this step is to recognize that for any number m the σ⁻¹(m)th entry in σ is m. With this in mind, since k=0 and j=187, swap 0 and 187. The two entries swapped are shown in bold. After this transposition, the new value of σ is:

[0214] [44, 248, 189, 104, 0, 201, 127, 226, 220, 136, 155, 237, 86, 144, 166, 27, 152, 204, 150, 202, 114, 157, 67, 245, 172, 22, 89, 167, 214, 145, 42, 191, 57, 77, 186, 251, 31, 161, 221, 111, 250, 51, 117, 205, 187, 48, 79, 165, 76, 209, 181, 151, 198, 78, 200, 129, 179, 49, 230, 3, 102, 222, 146, 203, 30, 227, 70, 196, 140, 109, 177, 63, 32, 75, 228, 178, 253, 43, 10, 105, 38, 128, 11, 174, 23, 215, 25, 223, 110, 182, 137, 216, 176, 229, 141, 163, 212, 94, 143, 193, 219, 88, 133, 218, 197, 180, 90, 171, 255, 84, 95, 81, 124, 185, 108, 121, 247, 194, 87, 40, 9, 41, 238, 92, 131, 168, 184, 115, 2, 14, 54, 103, 17, 122, 26, 192, 246, 4, 208, 225, 71, 119, 126, 118, 33, 130, 183, 46, 101, 159, 224, 1, 125, 142, 107, 217, 37, 234, 242, 15, 35, 239, 211, 236, 65, 154, 16, 5, 34, 98, 61, 156, 53, 6, 59, 100, 162, 116, 206, 68, 169, 85, 58, 113, 45, 62, 148, 106, 243, 249, 7, 55, 147, 66, 91, 233, 39, 36, 47, 190, 252, 29, 235, 82, 96, 60, 188, 97, 18, 213, 24, 153, 240, 158, 195, 139, 232, 72, 120, 93, 135, 210, 199, 164, 149, 99, 160, 134, 13, 19, 83, 52, 132, 175, 231, 123, 241, 28, 207, 73, 112, 64, 50, 12, 80, 74, 20, 56, 8, 173, 254, 138, 244, 170, 69, 21].

[0215] These steps A thru E can be executed as many times as needed to create a sequence of states. Further, the order in which steps A thru E are executed can also be changed.

[0216] If smaller keys are the primary goal in the encryption system, use the same steps A thru E on a permutation with a smaller length. For example if σ has length 64, then each state s_(i) generated in step C is a number ranging from 0 to 63. This state s_(i) can be used to encrypt 6 bits of a message because 64=2⁶.

[0217] This paragraph presents the concept of eventual periodicity. A sequence of states [s₀, s₁, s₂, . . . ] is eventually periodic if there are two positive integers k and n such that for each integer j between 0 and n−1 inclusive s_(k+j)=s_(k+j+mn) for every integer m≧0. This sequence eventually has a period of n and that k is the threshold for this eventual periodicity.

[0218] As an example, the sequence [2, 7, 4, 3, 5, 1, 3, 5, 1, 3, 5, 1, . . . ] is eventually periodic because it eventually starts to repeat 3, 5, 1, 3, 5, 1, 3, 5, 1, . . . . It has a threshold k=3 and period n=3. As another example, the sequence [1, 0, 4, 3, 5, 7, 8, 2, 1, 7, 8, 2, 1, 7, 8, 2, 1, . . . ] is eventually periodic with k=5 and period n=4.

[0219] It can be mathematically shown that a broad class of current encryption algorithms generate a sequence of states that is eventually periodic. Some members of the cryptographic community believe that the encrypted message is not vulnerable if the threshold k or the period n are sufficiently large. However, there are methods in the field of dynamical systems to develop predictive models of this type of behavior. In the future, it is possible that someone could propose a method of using this eventual periodicity to decode an encrypted message even for extremely large periods.

[0220] There is a simple computationally efficient way to break up eventual periodicity. Use a Perturbator to change a in a non-periodic way. As stated before, in the Perturbator section, initialize the integer variables: n, θ, δ, M and c. We prefer to initialize n=0, and initialize the other variables so that M>θ≧c≧0 and δ>0. Our software implementation of a Perturbator consists of the following steps. Add 1 to n. if (n ≧ θ) {  Set n equal to 0.  Add δ to θ.  Change σ.  if (θ > M)  {   Set θ equal to c.   Add 1 to M.  } }

[0221] In the step, Change σ, there are two preferred ways to do this. The first way is to transpose two elements of σwhen execution speed is more important. A second way is to rotate σ. The file NADO.jar changes σ using a rotation.

[0222] Below is a summary of the preferred method to generate a sequence of states, [s₀, s₁, s₂, . . . ], using a non-autonomous system built from permutations. do {  A Set k equal to (k + 1) modulo L.  B Set j equal to (j + σ⁻¹(k)) modulo L.  C Set state s_(i) equal to σ((σ(k) + σ(j)) modulo L).  D Set the state number i equal to i + 1.  E Transpose the σ⁻¹(k)th entry and σ⁻¹(j)th entry in σ.  F Execute a Perturbator to change σ in a non-periodic way. } while (More states s_(i) need to be generated)

[0223] Any reordering of the steps A thru F inside the do-while loop will work as well to generate a sequence of states. Further, step E can be removed, if the Perturbator in step F uses transpositions to change σ, σ changes frequently, and the Perturbator changes σ in a non-periodic way.

[0224] An alternative is to use more than one permutation to generate an unpredictable sequence of states. As an example, initialize two distinct permutations σ₁, σ₂ of length L. Initialize non-negative integers j₁, j₂, and k. Set i equal to 0. do {  A Set k equal to (k + 1) modulo L.  B Set j_(i) equal to (j₁ + σ⁻¹ ₁(k)) modulo L.  C Set state s_(i) equal to σ₁((σ₁(j₁) + σ₂(k)) modulo L).  D Set state s_(i+1) equal to σ⁻¹ ₂((σ⁻¹ ₁(j₂) + σ⁻¹ ₂(j₁)) modudo L).  E Set j₂ equal to (j₂ + σ⁻¹ ₂(k)) modulo L.  F Set state s_(i+2) equal to σ⁻¹ ₁((σ⁻¹ ₁(k) + σ⁻¹ ₂(j₂)) modulo L).  G Set state s_(i+3) equal to σ₂((σ₁(j₂) + σ₂(j₁)) modulo L).  H Transpose the σ⁻¹ ₁(k)th entry and σ₂(j₂)th entry in σ₁.  I Transpose the σ⁻¹ ₂(k)th entry and σ₁(j₁)th entry in σ₂.  J Execute a Perturbator to change σ₁ in a non-periodic way.  K Execute a Perturbator to change σ₂ in a non-periodic way.  L Set the state number i equal to i + 4. } while (More states s_(i) need to be generated)

[0225] The previous method with two permutations, approximately doubles the memory use and approximately doubles the speed. The spirit of this method can be extended to 3 or more permutations, when speed is a higher priority than memory usage.

[0226] J. Building NADO with a Key

[0227] A NADO key is a collection of integers, or a sequence of bits interpreted as a collection of integers. NADO uses one integer for the initial orbit point. NADO uses 3 positive integers and 1 non-negative integer for the initialization of θ, δ, M and c in the Perturbator, described in subsections VI.F and VI.H.

[0228] To generate a permutation σ, first initialize σ to the identity permutation, where n is the size of σ. A part of the NADO key can be a sequence of non-negative integers, denoted as k₀, k₁, . . . , k_(m). In the case when the following three conditions hold:

[0229] m+1 equals n.

[0230] The numbers k₀, k₁, . . . , k_(m) satisfy 1≦k_(i)≦n.

[0231] k₀, k₁, . . . , k_(m) are chosen with an excellent random number generator.

[0232] then initialize σ equal to [k₀, k₁, k₂, . . . k_(m)].

[0233] If the above three conditions do not hold, then execute the following steps to initialize σ. Initialize r and q to 1. while (r ≦ n) {  Set v equal to r modulo (m + 1).  Set q equal to (k_(v) + q − σ⁻¹(r)) modulo n.  Transpose the rth and σ⁻¹(q + 1)th entries in σ.  Increment r by 1. }

[0234] An n by n matrix over

₂ is initialized by the key as follows. First, a permutation-based non-autonomous dynamical system is initialized as described above. Then this system is iterated to build the matrix. This system's state after each iteration is 1 byte, which represents a sequence of 8 ones and zeros. This sequence of ones and zeros is stored in the n by n matrix over

₂.

[0235] The part of the key that is used to build the matrix is contained in the array of integers, int[ ] values. The two dimensional array matrix[i][k] represents the n by n matrix over

₂. The method call PermutationOrbitor.create(256, values) creates a non-autonomous dynamical system, using a sequence of permutations of size 256. The method call po.state( ) returns the system's state. The section of JAVA code below illustrates this in more detail: int[] bytes = { 0, 0, 0, 0 }; int[] shiftbits = { 0, 8, 16, 24 }; PermutationOrbitor po = PermutationOrbitor.create(256, values); for(int i = 0; i < numrows; i++) for(int k = 0; k < numcolumns; k++) {  for(int q = 0; q < 4; q++)  {   po.iterate( );   bytes[q] = (po.state( ) << shiftbits[q]);  }  matrix[i][k] = (bytes[0]

bytes[1]

 bytes[2]

bytes[3]); }

[0236] This method of initializing an n by n matrix is highly effective at generating an unpredictable sequence of ones and zeros even with an extremely small, poor key. As an example, using only 4 small integers, values[0]=1, values[1]=2, values[2]=1, and values[3]=1, the code in NADO.jar generates the 32 by 32 matrix: $\begin{matrix} {1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0} \\ {0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1} \\ {0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1} \\ {0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0} \\ {1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1} \\ {1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0} \\ {1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0} \\ {1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0} \\ {1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1} \\ {0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 10\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1} \\ {0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 0} \\ {1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0} \\ {0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0} \\ {0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0} \\ {1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0} \\ {1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1} \\ {1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0} \\ {0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0} \\ {0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1} \\ {1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1} \\ {0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0} \\ {0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0} \\ {0\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0} \\ {1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1} \\ {0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0} \\ {0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0} \\ {0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 1\quad 1} \\ {1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0} \\ {1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0} \\ {1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1} \\ {1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 1\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0} \\ {1\quad 1\quad 0\quad 0\quad 1\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 0\quad 0\quad 0\quad 1\quad 0\quad 1\quad 1\quad 0\quad 0\quad 1\quad 1\quad 1\quad 1\quad 0\quad 1\quad 0\quad 1\quad 0\quad 0\quad 0} \end{matrix}$

[0237] In NADO.jar, the non-autonomous system used in the encryption and decryption process depends on the key. In particular, from the key the parities of integers are determined. If the sum of the parities modulo 2 is 1, then the non-autonomous system is generated by a 32 by 32 matrix with entries in 2. If the sum modulo 2 is 0, then it is generated by a non-autonomous system of permutations of size 256, as described in subsection VI.I.

[0238] Keep in mind that in the general NADO cryptographic process, there is the choice of implementing one or more non-autonomous dynamical systems. If the choice is to implement only one, then, for example, an implementation might only use a 64 by 64 matrix with entries in F₂ to generate the non-autonomous system. In this case, even if the key changes, this implementation would still use a 64 by 64 matrix with entries in F₂. As a different example, an implementation might only use a non-autonomous system of permutations. In this case, even if the key changes, this implementation would still use a non-autonomous system of permutations.

[0239] K. Key Distribution

[0240] NADO uses a symmetric private key. There are different ways to distribute the key.

[0241] i. The sender uses an excellent random number generator to build the private key for NADO. At the beginning of the conversation or data exchange, the sending agent sends the NADO private key to the receiving agent using a public-private key system. After the private key has been sent, the public-private key system is no longer needed. [SCHNEIER] describes a number of protocols that describe how to exchange keys using public-private key methods. Some of these protocols for key exchange using a public-private key method are: Interlock, Dass, Denning-Sacco, Woo-Lam.

[0242] This technique greatly enhances the speed at which two parties can communicate in a secure way, as NADO encrypts and decrypts at a much faster rate then public-private key cryptographic methods. (See subsection N.)

[0243] ii. In applications where the number of potential recipients of an encrypted transmission is small and the recipients are known beforehand, the sending and receiving agents can agree to have the private key transmitted in a secure way. A courier may hand-carry the key. There are also a number of automated ways described in [SCHNEIER]: Wide-Mouth tog, Yahalom, Needhan-Schroeder, Otway-Rees, Kerberos, Neuman-Stubblebine.

[0244] Method i. is superior when the number of potential recipients of an encrypted transmission is large and potential recipients are unknown. These applications include:

[0245] Secure wireless applications such as cell phone conversations, wireless e-mail transmissions, wireless transactions, wireless e-commerce, and satellite transmissions.

[0246] Secure software applications such as e-mail applications, enterprise computing, online e-commerce, online messaging, enterprise portal software, and other internet applications.

[0247] Method ii. is preferred for military applications and specialized banking applications, when there are a small number of people communicating, and there is a high degree of confidence that the private key will not be intercepted and stolen.

[0248] L. Instructions on the Use of NADO.jar

[0249] On the CD-ROM, the file NADO.jar contains JAVA byte code that executes on a JAVA virtual machine. A JAVA virtual machine should be installed, and the system variable CLASSPATH should contain the directory path that NADO.jar is in. The main class in NADO.jar is NADO.class. NADO.class enables four different commands by calling four static methods: buildKey, encrypt, decrypt, and main.

[0250] Using arrays of integers as input, the first static method allows the user to create an object NADOKey which stores the NADO private key.

[0251] public static NADOKey buildKey(int[ ] ai0, int[ ] ai1, int[ ] ai2, int[ ] ai3)

[0252] The four arguments ai0, ai1, ai2, and ai3 store arrays of integers used to initialize the perturbator, the sequence of permutations, the orbit point, and the non-autonomous dynamical system. NADO.class assumes that these arrays of integers have already been generated elsewhere by a random generator, and distributed securely. The object NADOKey returned by method buildKey can be used as an argument by the next two methods encrypt and decrypt.

[0253] The second static method enables a user to read a message coming from Input-Stream plain, encrypt this message using the argument ky, and write the ciphertext to OutputStream cipher.

[0254] public static void encrypt(InputStream plain, OutputStream cipher, NADOKey ky)

[0255] The third static method enables a user to read ciphertext coming from InputStream cipher, decrypt the ciphertext using the argument ky, and write the message to Output-Stream decipher.

[0256] public static void decrypt(InputStream cipher, OutputStream decipher, NADOKey ky)

[0257] Because of the generality of the JAVA classes InputStream and OutputStream, the methods buildKey, encrypt and decrypt in NADO.jar enable a wide variety of encryption/decryption applications.

[0258] The fourth static method main enables the user to encrypt and decrypt files from the command line. main expects the files 032.txt, M32.txt, P.txt, and N.txt to be in the same directory as NADO.jar. 032.txt stores a single integer, and M32.txt, P.txt, and N.txt store integers that make up the NADO key. The encrypted and decrypted files should lie in the subdirectory /text. As an example, the command java NADO E plain1.txt reads the message in the file plain1.txt and writes the ciphertext to the file cipher32_plain1.txt. The command java NADO D cipher32_plain1.txt reads the encrypted file cipher32_plain1.txt, decrypts it, and writes the resulting message to plain1.txt. These commands must be typed in from the same directory as NADO.jar.

[0259] On the CD-ROM, there are two files cipher32_plain1.txt and cipher32_plain2.txt in the subdirectory/text. These two files were encrypted by NADO.jar.

[0260] M. Performance of NADO.jar

[0261] NADO.jar is fast enough to execute real-time encryption and decryption on wireless devices such as cell phones and other consumer products; to execute real-time encryption/decryption of data in military applications such as theatre missile defense; and to perform real-time encryption for high speed networking applications.

[0262] NADO.jar encrypts and decrypts uncompressed information at a speed ranging from 180,000 to 210,000 bytes per second, on a laptop computer running an Intel 150 Mhz Pentium x86 Family5 Model4 microprocessor. On a laptop computer running an Intel 996 Mhz Pentium III microprocessor, NADO.jar encrypts and decrypts uncompressed information at a speeding ranging from 2,200,000 to 2,400,000 bytes per second.

[0263] These speeds do not measure the amount of time to read from the input file and write to the output file because hard drive speeds vary considerably. Furthermore, in some cryptography applications, reading and writing to a file does not occur. Currently, cell phones and some handheld computers do not have a hard drive. Current cell phone technology requires a speed of 20,000 bits per second to perform real-time encryption, which is equivalent to 2,500 bytes per second (1 byte=8 bits). At these speeds, NADO easily enables real-time encryption and decryption on cell phones and wireless PDAs. NADO.jar uses 10,241 bytes of memory, so it can run on devices such as PDAs, cell phones, and small embedded military applications. Since NADO implementations in C or assembly code will be far more efficient, a C or assembly code implementation of NADO should take up less than 5,000 bytes of memory, and execute 10 to 100 times faster than the speeds stated here.

DESCRIPTION OF ALTERNATIVE EMBODIMENTS

[0264] This section describes alternative embodiments of NADO.

[0265] Alternative 1. In cases where speed and a smaller key size is important, this alternative uses only a sequence of permutations to change the order of the message. This process is outlined in subsection VI.A, step ii of method A and step iii of method B. This process is described in detail in subsection VI.C. As shown in subsection VI.C., each permutation in the sequence may have a different length.

[0266] Alternative 2. This alternative is an extension of alternative 1. In addition to a sequence of permutations to reorder the message, it also uses a Perturbator to change the sequence of permutations in a non-periodic way.

[0267] Alternative 3. This alternative uses only a non-autonomous dynamical system to create a sequence of unpredictable states. This process is introduced in subsection VI.D. This process is covered in detail in subsections VI.E, VI.G, and VI.I.

[0268] Alternative 4. This alternative is an extension of alternative 3. In addition to a non-autonomous dynamical system to create a sequence of unpredictable states, it uses a Perturbator to change the non-autonomous system in a non-periodic way.

[0269] Alternative 5. This alternative is an extension of alternatives 1 and 3. It uses a sequence of permutations to reorder the message or states, and a non-autonomous dynamical system to create a sequence of unpredictable states, but does not use Perturbators.

[0270] Alternative 6. This alternative uses part of the cryptographic process to generate pseudo-random numbers. As introduced in section VI.D and discussed in detail in sections VI.E, VI.G, and VI.I, NADO generates a sequence of unpredictable states: [s_(i) ₀ , s_(i) ₁ , s_(i) ₂ , s_(i) ₃ , . . . ]. In the case when these states come from a matrix over

₂, then the states are sequences of 1's and 0's. This sequence of ones and zeroes can be converted to pseudo-random integers or pseudo-random rational numbers by sampling enough ones and zeroes and then using linear interpolation between the smallest and largest numbers allowed. If a sequence of permutations generates the states, then just convert each state to a sequence of ones and zeroes, and repeat the steps just described. Converting the states to ones and zeroes is straightforward. First, make sure that the size of the permutations is a power of 2. As an example, if the size of the permutations is 256, then each state is a number between 0 and 255, inclusive. Each state can be easily converted to its 8 bit binary representation. Some of these conversions are listed: 0→[00000000], 1→[00000001], 2→[00000010], 3→[00000011], 4→[00000100], 5→[00000101], 6→[00000110], 7→[00000111], 8→[00001000], . . . , 15→[00001111], 16→[00010000], 17→[00010001], . . . , 31→[00011111], 32→[00100000], 33→[00100001], . . . , 63→[00111111], 64 [01000000], 65→[01000001], . . . , 127→[01111111], 128→[10000000], 129→[10000001], . . . , 255→[11111111].

[0271] Alternative 7. As explained in alternative 6, pseudo-random numbers can be generated. These pseudo-random numbers can be used to build keys in a distinct encryption/decryption system. This distinct encryption/decryption device could be implemented with the DES algorithm, or some other well-known encryption algorithm, or even the NADO encryption/decryption process. Thus, NADO can be used to generate keys.

CONCLUSIONS, RAMIFICATIONS, AND SCOPE OF INVENTION

[0272] The process for encrypting and decrypting information makes use of three novel processes in cryptography: (1) A sequence of permutations which scrambles and spreads out the encrypted message; (2) A non-autonomous dynamical system to generate an unpredictable sequence of states; (3) One or more perturbators which perturb both the non-autonomous dynamical system and the sequence of permutations in a non-periodic way. As discussed in section VII, there are alternative embodiments that use particular combinations of (1), (2), and (3).

[0273] While NADO has been described in complete detail, and two implementations are demonstrated in JAVA byte code, NADO is not to be limited to such details, since many changes and modifications may be made to NADO without departing, from the spirit and scope thereof. Persons of ordinary skill in the art may implement the invention in various ways and configurations that embody the subject matter encompassed literally and by equivalents in the following claims. Hence, NADO is described to cover any and all modifications and forms which may come within the language and scope of the claims. 

I claim:
 1. A method of encrypting and decrypting information, comprising: (a) providing information and a key, (b) using said key to help construct a state generator and a sequence of permutations, (c) constructing a sequence of states with said state generator, and permuting said information with said sequence of permutations, (d) encrypting said information with said sequence of states if the permuted information is a message and decrypting said information with said sequence of states if the permuted information is ciphertext.
 2. The method of claim 1 wherein a perturbator changes a permutation to help generate said sequence of permutations.
 3. The method of claim 1 wherein said method is used in a consumer product.
 4. The method of claim 1 wherein said method is used in a wireless application.
 5. The method of claim 1 wherein in (d) encrypting and decrypting use one of the following functions: an exclusive-or function, an addition modulo L function, a subtraction modulo L function, or a permutation function.
 6. The method of claim 1 wherein said state generator is a dynamical system.
 7. The method of claim 6 wherein said dynamical system is iterative.
 8. The method of claim 6 wherein said dynamical system is non-iterative.
 9. The method of claim 6 wherein said dynamical system is non-autonomous.
 10. The method of claim 6 wherein a matrix is used to generate said dynamical system.
 11. The method of claim 10 wherein said matrix is changed with a perturbator.
 12. The method of claim 11 wherein said perturbator uses a zero repeller.
 13. The method of claim 6 wherein one or more permutations are used to generate said dynamical system.
 14. The method of claim 13 wherein said permutations, that generate said dynamical system, create said sequence of states.
 15. The method of claim 13 wherein said permutations are changed with a perturbator.
 16. The method of claim 6 wherein said dynamical system is changed with a perturbator.
 17. The method of claim 16 wherein said perturbator is implemented with a dynamical system.
 18. A method of encrypting and decrypting information, comprising: (a) providing information and a key, (b) using said key to help construct a state generator and a sequence of permutations, (c) constructing a sequence of states with said state generator, (d) permuting said sequence of states with said sequence of permutations, (e) encrypting said information with the permuted sequence of states if said information is a message and decrypting said information with the permuted sequence of states if said information is ciphertext.
 19. The method of claim 18 wherein a perturbator changes a permutation to help generate said sequence of permutations.
 20. The method of claim 18 wherein said method is used in a consumer product.
 21. The method of claim 18 wherein said method is used in a wireless application.
 22. The method of claim 18 wherein in (e) encrypting and decrypting use one of the following functions: an exclusive-or function, an addition modulo L function, a subtraction modulo L function, or a permutation function.
 23. The method of claim 18 wherein said state generator is a dynamical system.
 24. The method of claim 23 wherein said dynamical system is iterative.
 25. The method of claim 23 wherein said dynamical system is non-iterative.
 26. The method of claim 23 wherein said dynamical system is non-autonomous.
 27. The method of claim 23 wherein a matrix is used to generate said dynamical system.
 28. The method of claim 27 wherein said matrix is changed with a perturbator.
 29. The method of claim 28 wherein said perturbator uses a zero repeller.
 30. The method of claim 23 wherein one or more permutations are used to generate said dynamical system.
 31. The method of claim 30 wherein said permutations, that generate said dynamical system, create said sequence of states.
 32. The method of claim 30 wherein said permutations are changed with a perturbator.
 33. The method of claim 23 wherein said dynamical system is changed with a perturbator.
 34. The method of claim 33 wherein said perturbator is implemented with a dynamical system.
 35. A cryptographic machine, comprising: (a) information, (b) a sequence of permutations, which permutes said information, (c) a state generator, which constructs a sequence of states, (d) a key, which determines said sequence of permutations and said state generator. whereby if the permuted information is a permuted message, then said sequence of states encrypts said permuted message and if the permuted information is permuted ciphertext then said sequence of states decrypts said permuted ciphertext.
 36. The machine of claim 35 wherein a perturbator changes a permutation to help generate said sequence of permutations.
 37. The machine of claim 35 wherein said machine runs in a consumer product.
 38. The machine of claim 35 wherein said machine runs in a wireless application.
 39. The machine of claim 35 wherein the encryption and decryption use one of the following functions: an exclusive-or function, an addition modulo L function, a subtraction modulo L function, or a permutation function.
 40. The machine of claim 35 wherein said state generator is a dynamical system.
 41. The machine of claim 40 wherein said dynamical system is iterative.
 42. The machine of claim 40 wherein said dynamical system is non-iterative.
 43. The machine of claim 40 wherein said dynamical system is non-autonomous.
 44. The machine of claim 40 wherein a matrix is used to generate said dynamical system.
 45. The machine of claim 44 wherein said matrix is changed with a perturbator.
 46. The machine of claim 45 wherein said perturbator uses a zero repeller.
 47. The machine of claim 40 wherein one or more permutations are used to generate said dynamical system.
 48. The machine of claim 47 wherein said permutations, that generate said dynamical system, create said sequence of states.
 49. The machine of claim 47 wherein said permutations are changed with a perturbator.
 50. The machine of claim 40 wherein said dynamical system is changed with a perturbator.
 51. The machine of claim 50 wherein said perturbator is implemented with a dynamical system.
 52. A cryptography machine, comprising: (a) information (b) a state generator, which constructs a sequence of states, (c) a sequence of permutations, which permutes said sequence of states, (d) a key, which determines said state generator and said sequence of permutations, whereby if said information is a message, then the permuted sequence of states encrypts said message and if said information is ciphertext then the permuted sequence of states decrypts said ciphertext.
 53. The machine of claim 52 wherein a perturbator changes a permutation to help generate said sequence of permutations.
 54. The machine of claim 52 wherein said machine runs in a consumer product.
 55. The machine of claim 52 wherein said machine runs in a wireless application.
 56. The machine of claim 52 wherein the encryption and decryption use one of the following functions: an exclusive-or function, an addition modulo L function, a subtraction modulo L function, or a permutation function.
 57. The machine of claim 52 wherein said state generator is a dynamical system.
 58. The machine of claim 57 wherein said dynamical system is iterative.
 59. The machine of claim 57 wherein said dynamical system is non-iterative.
 60. The machine of claim 57 wherein said dynamical system is non-autonomous.
 61. The machine of claim 57 wherein a matrix is used to generate said dynamical system.
 62. The machine of claim 61 wherein said matrix is changed with a perturbator.
 63. The machine of claim 62 wherein said perturbator uses a zero repeller.
 64. The machine of claim 57 wherein one or more permutations are used to generate said dynamical system.
 65. The machine of claim 64 wherein said permutations, that generate said dynamical system, create said sequence of states.
 66. The machine of claim 64 wherein said permutations are changed with a perturbator.
 67. The machine of claim 57 wherein said dynamical system is changed with a perturbator.
 68. The machine of claim 67 wherein said perturbator is implemented with a dynamical system.
 69. A cryptographic machine, comprising: (a) information (b) one or more non-autonomous dynamical systems, which generate a sequence of states, (c) a key which determines each said non-autonomous dynamical system whereby if said information is a message, then said machine encrypts said message using the states of one or more of said non-autonomous dynamical systems and if said information is ciphertext, then machine decrypts said ciphertext using the states of one or more of said non-autonomous dynamical systems.
 70. The machine of claim 69 wherein each said non-autonomous dynamical system is implemented with a distinct sequence of permutations.
 71. The machine of claim 69 wherein each said sequence of permutations is implemented using a perturbator.
 72. The machine of claim 69 wherein said method is used in a consumer product.
 73. A method of encrypting and decrypting information, comprising: (a) providing information and a key, (b) using said key to help construct a sequence of permutations, (c) encrypting said information with said sequence of permutations if said information is a message and decrypting said information with said sequence of permutations if said information is ciphertext.
 74. The method of claim 73 wherein a perturbator changes a permutation to help generate said sequence of permutations.
 75. The method of claim 73 wherein said method is used in a wireless application.
 76. The method of claim 73 wherein said method is used in a consumer product.
 77. A method of generating random numbers, comprising: (a) providing a state generator and sequence of permutations, (b) generating a sequence of states with said state generator, (c) permuting sequence of states with said sequence of permutations, (d) extracting random numbers from the permuted sequence of states.
 78. The method of claim 77 wherein said random numbers are used as encryption and decryption keys. 